KV Store communication fails with TLS errors after...

afx · ‎10-16-2025

After upgrading from 9.4.3 to 10.0.1 I run in the following TLS errors from mongod.log:

2025-10-16T08:59:56.224Z I  NETWORK  [listener] connection accepted from 127.0.0.1:34164 #1490 (1 connection now open)
2025-10-16T08:59:56.233Z E  NETWORK  [conn1490] SSL peer certificate validation failed: unsupported certificate purpose
2025-10-16T08:59:56.233Z I  NETWORK  [conn1490] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 127.0.0.1:34164 (connection id: 1490)
2025-10-16T08:59:56.233Z I  NETWORK  [conn1490] end connection 127.0.0.1:34164 (0 connections now open)
2025-10-16T08:59:56.233Z W  NETWORK  [ReplicaSetMonitor-TaskExecutor] The server certificate does not match the host name. Hostname: 127.0.0.1 does not match SAN(s):

For the SAN all Domain names and the IO are listed, but not localhost.

Any ideas how to get around the multipurpose requirement? Our CA does not provide them. I can get around the 127.0.0.1 entry via options, but the purpose thing seems to be a showstopper.

KV Store communication fails with TLS errors after upgrading from 9.4.3 to 10.0.1

upgrade

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation